Threat description




Cryptolocker encrypts files on the compromised computer and demands a ransom to provide the decryption key needed to decrypt the files.


Automatic action

F-Secure detects Cryptolocker malware using a variety of generic detections. Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

Restore from backup

Like most ransomware, though the malware itself can be removed, the encryption used to take the files hostage is sufficient to make it very difficult to decrypt the files without the necessary decryption key.

In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup.

Technical Details

Cryptolocker is ransomware that is spread by both malicious file attachments to email messages and via the Gameover Zeus botnet. When Cryptolocker is run, it encrypts files on the compromised machine and displays a message informing the user that a decryption key must be purchased in order to recover access to the files held at ransom.

For more information, see:

Further analysis

If you believe you have encountered an undetected Cryptolocker sample, please send it to us for analysis via our Submit A Sample (SAS) page.


Update: 10 February, 2015: Details of the CTB-Locker ransomware which were originally posted in this description have now been moved to a separate description, Trojan:W32/CTB-Locker, to minimize confusion between these two ransomware families.

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info